fix: skip credentials for public releases.jfrog.io downloads #1340

Open
toller892 wants to merge 1 commit into jfrog:master from toller892:fix/download-to-skip-creds-on-public

@toller892

Problem

download_to(), head_request(), and storage_request() unconditionally use JF_ACCESS_TOKEN / JF_USER credentials when set — even when downloading from the public releases.jfrog.io server.

This breaks the use case where a user has their own Artifactory credentials configured (JF_URL + JF_USER + JF_PASSWORD) but is not using JF_RELEASES_REPO. The script sends those credentials to releases.jfrog.io, which returns 401 because the user doesn't exist there.

Fixes #1339

Fix

Guard all three HTTP helper functions with a REMOTE_PATH check. Credentials are only sent when JF_RELEASES_REPO is configured (which sets REMOTE_PATH), meaning the URL points to the user's own Artifactory instance. When downloading from the public server, no credentials are sent.

Before

# Always used credentials when set, even for public URLs
if [ -n "${JF_ACCESS_TOKEN:-}" ]; then
    curl -fLg -H "Authorization:Bearer ..." ...

After

# Only use credentials when downloading from user's own Artifactory
if [ -n "${REMOTE_PATH:-}" ] && [ -n "${JF_ACCESS_TOKEN:-}" ]; then
    curl -fLg -H "Authorization:Bearer ..." ...

Affected functions

  • download_to() — binary download
  • head_request() — HEAD for checksum headers
  • storage_request() — Artifactory Storage API fallback

Behavior matrix

| Scenario | REMOTE_PATH | Credentials used? |
|---|---|---|
| Public download (no JF_RELEASES_REPO) | empty | ❌ No |
| Private Artifactory (JF_RELEASES_REPO set) | set | ✅ Yes |
| No credentials at all | empty | ❌ No (unchanged) |

download_to(), head_request(), and storage_request() unconditionally
used JF_ACCESS_TOKEN / JF_USER credentials when set, even when
downloading from the public releases.jfrog.io server. This caused
401 errors for users who have their own Artifactory credentials
(JF_URL + JF_USER) configured but are not using JF_RELEASES_REPO.

Guard all three functions with a REMOTE_PATH check — credentials are
only sent when JF_RELEASES_REPO is configured, which means the URL
points to the user's own Artifactory instance.

Fixes jfrog#1339
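
The guard from the behavior matrix above, written as one decision function that a single curl wrapper can share. This is an added example, not code from frogbot.sh or from this PR. The names `url_host`, `auth_mode_for` and `fetch`, the `-u` basic-auth branch, and the extra comparison of the request host against `JF_URL` are assumptions that go beyond the PR's `REMOTE_PATH` check.

```shell
#!/bin/sh
# Added example: not frogbot.sh code. Function names are hypothetical.

# Print the lower-cased host of scheme://[user@]host[:port][/path].
# IPv6 literals such as [::1] are not handled.
url_host() {
    h=${1#*://}        # drop the scheme
    h=${h%%[/?#]*}     # keep only the authority part
    h=${h##*@}         # drop any userinfo
    h=${h%%:*}         # drop the port
    printf '%s' "$h" | tr '[:upper:]' '[:lower:]'
}

# Print which credential type may accompany a request to URL $1:
# "bearer", "basic" or "none".
auth_mode_for() {
    # Rule from the PR: REMOTE_PATH is only set when JF_RELEASES_REPO is
    # configured, so an empty value means the public server.
    if [ -z "${REMOTE_PATH:-}" ]; then
        echo none; return 0
    fi
    # Assumption beyond the PR: also require the request host to equal the
    # host of JF_URL, so a mistyped or overridden URL gets no credentials.
    if [ -z "${JF_URL:-}" ] || [ "$(url_host "$1")" != "$(url_host "$JF_URL")" ]; then
        echo none; return 0
    fi
    if [ -n "${JF_ACCESS_TOKEN:-}" ]; then
        echo bearer
    elif [ -n "${JF_USER:-}" ] && [ -n "${JF_PASSWORD:-}" ]; then
        echo basic
    else
        echo none
    fi
}

# One shared wrapper, so every HTTP helper applies the same decision.
fetch() {
    case $(auth_mode_for "$1") in
        bearer) curl -fLg -H "Authorization: Bearer ${JF_ACCESS_TOKEN}" "$1" ;;
        basic)  curl -fLg -u "${JF_USER}:${JF_PASSWORD}" "$1" ;;
        *)      curl -fLg "$1" ;;
    esac
}
```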

github-actions Bot commented Jun 2, 2026


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by posting a Pull Request comment in the format below.


I have read the CLA Document and I hereby sign the CLA


toller892 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

Development

Successfully merging this pull request may close these issues.

Frogbot.sh used creds when not needed, breaking the working
